Random Linear Network Codes for Secrecy over 
Wireless Broadcast Channels 



Shahriar Etemadi Tajbakhsh 
Research School of Engineering 
The Australian National University 
Canberra, Australia 
Email: shahriar.etemadi-tajbakhsh@anu.edu.au 



Parastoo Sadeghi 
Research School of Engineering 
The Australian National University 

Canberra, Australia 
Email: parastoo.sadeghi@anu.edu.au 




Abstract — We consider a set of n messages and a group of k clients. Each client is privileged to receive an arbitrary subset of the messages over a broadcast erasure channel, which generalizes the scenario of a previous work. We propose a method for secretly delivering each message to its privileged recipients in such a way that each receiver can decode its own messages but not the others'. Our method is based on combining the messages using linear network coding and hiding the decoding coefficients from the unprivileged clients. We provide an information-theoretic proof of the secrecy of the proposed method. In particular, we show that an unprivileged client cannot obtain any meaningful information even if it holds the entire set of coded data packets transmitted over the channel. Moreover, in our method the decoding complexity at the receiver side is desirably low.

I. Introduction 

The wireless medium is potentially vulnerable to different types of security attacks, as the information is broadcast in the air and might easily be accessed or manipulated by an unprivileged party. Specifically, the secrecy of transmission sessions is a major concern, which implies the necessity of cryptographic methods against eavesdroppers. On the other hand, recent advances in cooperative networking schemes unveil the advantage of cooperation among wireless devices as a consequence of diversity in wireless channels. Despite the benefits of cooperation, it might increase the security risks in the presence of dishonest participants. As a major class of such cooperative settings, network coding techniques require the wireless devices to be able to listen to transmission sessions which are not necessarily intended for them and to buffer what they hear on the channel as side information. Because of diversity in packet reception at different users, the sender might benefit from network coding techniques to merge multiple transmission sessions into one [1]–[5]. As the users are supposed to buffer and process some messages of which they are not the target recipients, some mechanisms should be designed to protect the secrecy of those messages during the cooperation.

In this paper, we consider k wireless users which are connected to a base station and share a broadcast erasure channel. Each client is interested in receiving an arbitrary subset of n messages. The clients are able to listen to all the transmissions over the channel and save what they receive in their buffers. As each client might have missed some parts of the information which it needs to decode its own messages, either the base station should retransmit the missing parts or the clients should cooperate with each other to obtain them. We propose a method to maintain the secrecy of individual messages against any unprivileged party (either those clients who are not the target recipients of that message or any external eavesdropper). The essence of the proposed method is to combine all the messages together at the base station, regardless of their target recipients, using a special form of random linear network coding, and to broadcast the resulting packets to all the clients; each client privately receives a set of decoding coefficients which enables it to decode its own messages but not the others'. In other words, the main idea is to protect the decoding coefficients against unprivileged parties.

A brief summary of the contribution of this paper is as follows. We propose a method to maintain the secrecy of transmissions over a wireless broadcast channel by coding the messages using a special form of random linear network coding. This paper extends the scenario discussed in [6] to a general scenario in which each client is interested in an arbitrary subset of the messages. Also, we prove that using our proposed method, the eavesdropper or any unprivileged client cannot obtain any meaningful information about the messages. Moreover, our proof implies that the field size of the operations can be kept small, which substantially reduces the computational complexity, especially at the receiver side; this is a crucial improvement over [6].

The rest of this paper is organized as follows. In Section II the position of this paper within the literature is highlighted. In Section III the proposed system is introduced and some specifications and advantages of our proposed method are discussed. Section IV provides a clarifying example of the entire system. Finally, in Section V the secrecy of the proposed method is proven.

II. Related Work 

This paper is an extension of the work in [6], where only eavesdroppers with bounded computational power were considered to wiretap a shared broadcast channel. In the current paper, we provide an information theoretic proof for the security of the proposed method and we show that an eavesdropper would not be able to obtain any meaningful information about the protected messages. Moreover, in [6] each client is only interested in a distinct message, while the current paper generalizes the proposed method to the scenario in which each of the k clients is interested in receiving an arbitrary subset of n messages over a shared broadcast erasure channel. Also, unlike [6], in this paper we operate over a field of size 2, as it is shown that the field size does not need to be large.

We take advantage of the security properties of random linear network codes (RLNC [7]) in this paper. In [8] the achievable rate region of network coding with perfect secrecy in the presence of an eavesdropper (which is able to wiretap some of the links in a multicast scenario) is characterized. Perfect secrecy is a strict constraint which is hardly satisfied and dramatically degrades the throughput of a multicast network. This condition is relaxed in [9] to a weaker security condition which is still satisfying in a practical sense. Weak security guarantees that the eavesdropper cannot obtain any meaningful information about the messages. In this paper, we take this definition of security to prove the secrecy of our method. The capacity region with a perfect secrecy constraint over a broadcast channel is characterized in [10], and a method is proposed to achieve the identified capacity region. Since we have relaxed the condition of perfect secrecy, higher data rates can be achieved using our proposed method.

On the other hand, our proposed method is based on protecting the decoding coefficients of linear combinations of messages from eavesdroppers. A similar concept has been considered by [11], [12], where [11] provides information theoretic bounds and theorems to guarantee that the mutual information between the information transmitted over the links and, respectively, the coding coefficients or the original messages is small, and zero under some special conditions. In [12] a coding scheme is proposed (based on protection of coding coefficients) for multi-resolution video streaming, where each client receives a number of layers of the video in a successive refinement fashion according to its subscription level. Therefore, the rest of the layers should not be revealed to this specific client. Our proposed coding algorithm provides substantial freedom to generalize the code protection based methods to a scenario in which each client is interested in an arbitrary subset of messages, which distinguishes our work from [11], [12] (in particular, we protect the decoding coefficients rather than the encoding coefficients). Moreover, we provide a method to update the decoding coefficients periodically, which improves secrecy.

Another important feature of our proposed scheme is its low complexity, which is a major issue due to the matrix inversion operations required to decode network coding based schemes. This problem has been addressed in different studies such as [13] in terms of the computational power and energy consumption limitations of wireless devices. In our method, this burden has been shifted to the base station, which often has considerably larger computational resources and theoretically unlimited energy compared to the small receiver devices. In our scheme, the devices are only supposed to generate linear combinations of the packets they have received over a small finite field.



III. System and Model 

We consider a set of n messages X = {x_1, ..., x_n} and a set of k clients C = {c_1, ..., c_k}. Each client c_j is interested in receiving an arbitrary subset of messages χ_j ⊆ X from a common base station. Each message x_i is composed of T elements, each drawn from a finite field F_q of size q and denoted by x_i^(t). For the ease of our analysis and also to reduce the decoding complexity at the receiver side, we assume that all the operations are done over a finite field of size 2, i.e. F_2. We consider T rounds of transmission, where at each round 1 ≤ t ≤ T the set of elements X^(t) = {x_1^(t), ..., x_n^(t)} should be delivered to the clients by the end of the round. The set of clients who are the privileged recipients of message x_j is denoted by R_j = {c_u : x_j ∈ χ_u}.

Each round of transmission incorporates three phases. (1) The set of elements X^(t) is encoded as will be described later, and the set of encoded elements (denoted by P^(t) = {P_1^(t), ..., P_n^(t)}) is transmitted over a shared broadcast channel to all the clients. Each client c_i might receive each element with probability 1 − p_i. (2) The packets missed by the clients at each round should be retransmitted either by the base station or by the clients, if the clients have collectively received the set of encoded elements. (3) The base station privately provides a set of decoding coefficients to each client, where each client is enabled to decode its own set of elements but not the other ones'; therefore the secrecy of individual messages is maintained. In the following, the three mentioned phases are described. In Section IV a comprehensive example is provided to illustrate the entire process.

• Broadcast Phase: At each round t, the base station generates the set of encoded elements by solving the system of equations X^(t) = A^(t) P^(t), where A^(t) = [a_ij]_{n×n} is a matrix of randomly chosen elements a_ij from the finite field F_q, P^(t) = [P_j^(t)]_{n×1} is the vector of encoded elements and X^(t) = [x_i^(t)]_{n×1} is the vector of message elements at round t. The set of encoded elements P^(t) is broadcast to all the clients by the base station. To recover a message element x_i^(t), a corresponding client c_j for which x_i ∈ χ_j needs the i-th row of the matrix A^(t), denoted by A_i^(t), as x_i^(t) = A_i^(t) P^(t). To prevent unprivileged clients, i.e. C \ R_i, or any other external eavesdropper from obtaining message x_i, the vector A_i^(t) should be delivered privately and securely to each client c_u ∈ R_i as a secret key. The process of delivering these vectors of decoding coefficients A_i^(t) to the corresponding set of privileged clients R_i is central to this paper and will be discussed extensively later in this section.

• Packet Recovery Phase: As mentioned earlier, we model the channel between the base station and each client c_i as an erasure channel, i.e. we assume each encoded element is received by the client c_i with probability 1 − p_i. Hence, the missing packets should be either retransmitted by the base station or provided via cooperation among the clients by exchanging the missing chunks of information with each other. The details of the network coding based retransmission schemes are beyond the scope of this paper (we refer the reader to [6] for more information).
• Key Sharing Phase: As mentioned earlier, we need to provide the sets of decoding coefficients privately to the privileged clients. Our method is based on a hybrid private-public key scheme, where an initial key is associated with each message x_i. Each initial key is composed of two components and can be represented as a pair of functions K_i = (π_i, κ_i). The first component of the key K_i, the permutation function, is formally defined as follows:

Definition 1. A permutation function of the set N = {1, ..., n} is a one-to-one and onto function, denoted by v = π_i(u), which randomly maps each element u in N to an element v in N. The index i is an arbitrary index which is used later to identify the corresponding message.

Definition 2. A vector permutation function maps a vector u = [u_1 ... u_n] to a vector v = [v_1 ... v_n] such that v_j = π_i(u_j), ∀j ∈ N. Also, we denote the vector [1 ... n] by $\mathbf{n}$.

The second component of the initial key is κ_i : N → F_2, which maps each element j ∈ N to κ_i(j), ∀i, j ∈ N, where κ_i(j) has been chosen randomly from a uniform distribution over the finite field F_2 (i.e. prob(κ_i(j) = 1) = 1/2 and prob(κ_i(j) = 0) = 1/2, ∀i, j ∈ N). The initial key K_i is fixed during all the T rounds of transmission and is privately provided to a client c_j if c_j ∈ R_i. The set of initial keys can either be physically delivered to the clients (e.g. as a part of their hardware) or be distributed using a method similar to [10], where it is expected that after a sufficient number of transmissions each set of privileged clients can pick a key which has not been heard by the others.

The base station generates a vector of n randomly chosen elements from F_2 at each round of transmission (or possibly at the beginning of a period of multiple transmission rounds), denoted by v(t) and called the regenerating vector, and broadcasts it publicly to all the clients. The decoding coefficients for all the messages are determined by this vector according to the following equation:

$A_i^{(t)} = \kappa_i(\pi_i(\mathbf{n})) + v(t)$    (1)

In other words, the initial key K_i acts as a function which operates on a publicly announced input, i.e. the regenerating vector (possibly at each round t or at the beginning of a period of multiple transmission rounds), to generate the vector of decoding coefficients A_i^(t). Therefore the vectors A_i^(t) can be renewed at each round of transmission with an overhead of n bits. However, it should be noted that the same vector v(t) is applied to all the initial keys {K_1, ..., K_n} at round t (otherwise a huge amount of overhead is imposed).
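The broadcast and key sharing phases above, implemented end to end over F_2 as an added example (this is not the paper's code): keys K_i = (π_i, κ_i), the public regenerating vector v(t), the rows A_i^(t) from equation (1), the base station solving X^(t) = A^(t) P^(t) and redrawing v(t) whenever A^(t) is singular, and the client's single inner-product decode. Function names, the seeded PRNG and the randomly constructed message bits are assumptions made for the illustration.

```python
import random

def key_gen(rng, n):
    """Initial key K_i = (pi_i, kappa_i) (Definitions 1 and 2): pi_i is a uniformly
    random permutation of N = {1, ..., n} and kappa_i maps each j in N to a
    uniformly random bit of F_2."""
    pi = list(range(1, n + 1))
    rng.shuffle(pi)
    kappa = [rng.randrange(2) for _ in range(n)]
    return pi, kappa

def decoding_row(key, v):
    """Equation (1): A_i^(t) = kappa_i(pi_i(n)) + v(t). The vector n = [1 .. n] is
    permuted by pi_i, kappa_i is applied elementwise, and the public regenerating
    vector v(t) is added over F_2 (XOR)."""
    pi, kappa = key
    return [kappa[pi[j] - 1] ^ v[j] for j in range(len(v))]

def gf2_solve(A, x):
    """Solve A p = x over F_2 by Gauss-Jordan elimination on the augmented matrix.
    Returns the solution vector p, or None when A is singular."""
    n = len(A)
    M = [row[:] + [x[i]] for i, row in enumerate(A)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if M[r][col]), None)
        if pivot is None:
            return None
        M[col], M[pivot] = M[pivot], M[col]
        for r in range(n):
            if r != col and M[r][col]:
                M[r] = [a ^ b for a, b in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]

def broadcast_round(keys, x, rng):
    """Base station side of one round t: draw v(t), build A^(t) row by row with
    eq. (1), and solve X^(t) = A^(t) P^(t) for the coded elements P^(t). A singular
    A^(t) is discarded and a fresh v(t) is drawn, as the paper prescribes."""
    n = len(keys)
    while True:
        v = [rng.randrange(2) for _ in range(n)]
        A = [decoding_row(k, v) for k in keys]
        p = gf2_solve(A, x)
        if p is not None:
            return v, p

def client_decode(key, v, p):
    """Client side: x_i^(t) = A_i^(t) . P^(t), one inner product over F_2, computed
    from the client's own initial key and the public v(t); no matrix inversion."""
    row = decoding_row(key, v)
    return sum(a & b for a, b in zip(row, p)) & 1

def run(n=7, rounds=64, seed=1):
    """Simulate T = rounds bits of each of n messages (constructed at random), as
    in the paper's example with n = 7 and 64 rounds. Returns the original message
    bits, the bits recovered by each privileged client, and the bits a party
    without K_1 recovers for message 1 by guessing a decoding row at random."""
    rng = random.Random(seed)
    keys = [key_gen(rng, n) for _ in range(n)]
    messages = [[rng.randrange(2) for _ in range(rounds)] for _ in range(n)]
    decoded = [[] for _ in range(n)]
    guessed = []
    for t in range(rounds):
        x = [messages[i][t] for i in range(n)]
        v, p = broadcast_round(keys, x, rng)
        for i in range(n):
            decoded[i].append(client_decode(keys[i], v, p))
        guess_row = [rng.randrange(2) for _ in range(n)]  # no key: a blind guess
        guessed.append(sum(a & b for a, b in zip(guess_row, p)) & 1)
    return messages, decoded, guessed

if __name__ == "__main__":
    messages, decoded, guessed = run()
    print("all privileged clients decode correctly:", messages == decoded)
    print("guessed row reproduces message 1:", guessed == messages[0])
```

The per-round overhead of the scheme is visible in `broadcast_round`: only the n public bits of v(t) are sent beside P^(t), while the decoding rows themselves never leave the key holders.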

The outcome of the encoding process over the messages is broadcast to all the clients, and each client c_j is able to decode its own message by computing A_i^(t) P^(t). In the following, some features of the proposed system are briefly discussed:



1) We use the linear network codes in the reverse direction, i.e. instead of generating linear combinations of the messages (P = AX) and broadcasting them over the channel, a system of linear equations (X = AP) is solved at the base station to generate the packets P. Therefore, each message is related to the set of packets by a distinct set of decoding coefficients, which enables us to generalize the proposed method to the scenario in which each client is interested in an arbitrary subset of messages without violating the secrecy of the other clients (as each client is provided with only the decoding coefficients necessary for decoding the messages it is privileged for).

2) Reversing the direction of the coding scheme mentioned in the last item also has the advantage of reducing the complexity at the receiver side, which might potentially have limited power resources and computational capacity. In our proposed scheme, the receiver only needs to compute a linear combination of packets for each message instead of inverting a matrix.

3) The role of the regenerating vector is to update the decoding coefficients so as to maintain the uniformity of the decoding coefficient distribution, which is necessary for our proof as will be discussed in Section V. The role of the permutation functions in the initial keys is to produce a huge space of possibilities that makes it computationally hard to guess the decoding coefficients or to obtain any information about them. The amount of information leakage, especially in the case of non-uniform messages, is an interesting topic for further investigation (for uniform messages some bounds and theorems have been established in [11]). The regenerating vector updates are expected to play a role in minimizing the leakage of information in this case. The regenerating vector can be updated periodically after multiple rounds of transmission (rather than at each round), but possibly at the price of some information leakage.



IV. An Example 

In this section, the different parts of the proposed system are discussed through an example. Suppose we have four clients C = {c_1, ..., c_4} and a set of seven messages X = {x_1, ..., x_7}. Each message is composed of 64 bits; therefore we have 64 rounds of transmission t = 1, ..., 64, where at each round one bit from each message is transmitted to the target recipients. We assume the sets χ_1 = {x_2, x_4, x_7}, χ_2 = {x_1, x_3, x_4}, χ_3 = {x_1, x_2, x_3, x_5, x_6} and χ_4 = {x_2, x_5, x_6, x_7} are demanded by clients c_1, c_2, c_3 and c_4, respectively.

Table I shows the set of initial key pairs for each message. Now consider one round of transmission, say t = 24. Suppose the random regenerating vector produced by the base station for this round is v(24) = [1 1 0]. The base station builds the matrix A^(24) by computing equation (1) for each pair of initial keys K_1, ..., K_7 and v(24), which results in:

TABLE I
Initial Keys

K_1:  π_1 = [2 7 6 4 1 5 3]    κ_1 = [1 1 1 1]
K_2:  π_2 = [4 3 5 1 2 6 7]    κ_2 = [1 1 1 0 0 1 0]
K_3:  π_3 = [5 2 4 7 3 1 6]    κ_3 = [0 1 1 0]
K_4:  π_4 = [3 1 7 6 5 4 2]    κ_4 = [1 1 1 1 1]
K_5:  π_5 = [2 1 6 5 7 4 3]    κ_5 = [0 1 1 1 1]
K_6:  π_6 = [3 2 5 6 7 2 4]    κ_6 = [1 1 1 1 0]
K_7:  π_7 = [1 3 7 5 4 2 6]    κ_7 = [1 1 1 1]

A^(24) = [a_ij]_{7×7} over F_2

It is easy to check that det(A^(24)) ≠ 0. If the base station comes up with a singular matrix, it is discarded and a new matrix is generated. It should be mentioned that the order of transmission of the regenerating vector and the coded data elements (the P_i^(t)'s) is not important as long as it follows a common protocol between the sender and the receivers. Therefore, a batch of coded elements with their corresponding regenerating vectors might be packed in a packet (and the result can be encoded using any error correction code) and transmitted to all the clients. For instance, P_i^(t), ∀t ∈ {1, ..., 64}, and the i-th element of all regenerating vectors v(t), ∀t = 1, ..., 64, plus the error correction code bits can be packed as a unit packet P_i by the protocol. Each receiver can acknowledge the reception of each packet (here by a packet we mean the packed version of the mentioned components), as it would be extremely costly and impractical to send feedback for each bit. However, separate operations are performed over each bit according to the corresponding decoding coefficients.

Initial keys can be distributed via any secure private channel or by using a method similar to [10]. The basis of the key sharing method in [10] is to take the diversity of packet erasure patterns over the downlink wireless channels between the base station and the wireless clients as an opportunity to provide secret keys to the corresponding clients. In [10], the base station starts to generate random messages and broadcasts them to all the clients. If a message is received only by a client c but not by the other ones, it can be used as a key shared between c and the base station. If a key K is shared with client c, a message u is encoded as x = u ⊕ K, similar to the so-called one-time pad of Shannon [14]. If x is only received by c but not by the other clients, then K can be reused; otherwise K is burnt and a new key should be used for sending the next message to c. We can use the same approach to distribute the initial keys, but the initial keys are not required to be renewed, which substantially reduces the amount of transmission (and consequently increases the throughput) at the price of relaxing the secrecy condition to a weaker, yet practical, one. To apply the method of [10] to our problem, which is more general in the sense that each client might demand an arbitrary subset of the messages, the base station should keep transmitting random messages (of the format K_i = (π_i, κ_i)) until a case is observed in which all clients belonging to R_i have heard it but none of the other clients has. This might be considered very costly in terms of throughput efficiency, especially if the number of users is large; however, it should be noted that this only happens once at the beginning, and only the regenerating vector v(t) is transmitted publicly at each round afterwards. Therefore, if T → ∞ the overhead of initial key sharing will tend to zero. However, as mentioned earlier, the initial keys can be shared using any type of secret key management method.

As mentioned earlier, the packet recovery can be accomplished either by the base station or via cooperation. In [6], we assumed that the operations are done over a large field size and that some elements of each row A_i might have been set to zero. Therefore each client needs to send a negative acknowledgement (NACK) only for those packets which it has not received and needs according to A_i. As the operations are done over a field of size 2 in this paper, if a client sends a NACK only for those packets in its wants set which are not received, some entries of A_i would be disclosed, which violates the secrecy. Therefore, each client should send a NACK for all its missing packets. Then the packets can be recovered using the methods developed in [2], [4], [15], [16] for retransmission via the base station, or via cooperative data exchange [17]–[19].

V. Proof of Secrecy 

In this section we prove that the aforementioned scheme of Section III is weakly secure in an information theoretic sense. The concept of weak security introduced in [9] implies that an unprivileged party cannot obtain any meaningful information about a message intended for a group of privileged users. Weak security relaxes the perfect secrecy condition (which does not allow any information to be leaked to an unauthorized party) to a weaker but more practical condition of security [9].

Consider the set of transmitted packets P^(t) and also let G ⊆ X^(t). We assume each client has only received the set of keys it is privileged for, i.e. a client c_j or any other external eavesdropper E does not hold K_i if c_j ∉ R_i. The following theorem states the main result of this paper (assuming the regenerating vector is updated at each round):

Theorem 1. An unprivileged client for message x_i or any external eavesdropper E cannot obtain any information about any individual message element x_i^(t), i.e. I(x_i^(t); P^(t) | G) = 0, assuming that E initially holds G and x_i^(t) ∉ G.

Before proving the theorem, a few lemmas are proven or stated. The first lemma, proved by Gallager, is borrowed from [20]–[22], where the probability distribution of a linear combination of random variables over a finite field is studied.



Lemma 1. Let β_1, ..., β_n ∈ GF(2) be independent random variables over the field with prob(β_i = 1) = δ_i, and let m_1, ..., m_n ∈ GF(2). Then the probability distribution of the linear combination s = Σ_{i=1}^{n} m_i β_i is computed as follows:

$\mathrm{Prob}(s = 1) = \frac{1}{2} - \frac{1}{2}\prod_{i=1}^{n}(1 - 2\delta_i)^{m_i}$    (2)

$\mathrm{Prob}(s = 0) = 1 - \mathrm{Prob}(s = 1)$
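Lemma 1 checked numerically, as an added example that is not from the paper: the closed form (2) against exhaustive enumeration of (β_1, ..., β_n), including the case where a selected β_i is uniform (δ_i = 1/2), for which (2) gives exactly 1/2 regardless of the other terms; this is the property the proof of Theorem 1 relies on. Function names are assumptions.

```python
from itertools import product

def gallager_prob_one(m, delta):
    """Equation (2): Prob(s = 1) for s = sum_i m_i * beta_i over GF(2), where the
    beta_i are independent with prob(beta_i = 1) = delta_i and m_i in {0, 1}.
    Only indices with m_i = 1 contribute a factor (1 - 2 delta_i)."""
    prod = 1.0
    for m_i, d_i in zip(m, delta):
        if m_i:
            prod *= 1.0 - 2.0 * d_i
    return 0.5 - 0.5 * prod

def brute_force_prob_one(m, delta):
    """The same probability by summing the weight of every beta in {0,1}^n
    whose selected XOR equals 1; feasible here because n is small."""
    total = 0.0
    for beta in product((0, 1), repeat=len(m)):
        weight = 1.0
        for b, d in zip(beta, delta):
            weight *= d if b else 1.0 - d
        if sum(m_i & b for m_i, b in zip(m, beta)) & 1:
            total += weight
    return total

def has_uniform_selected_term(m, delta):
    """True when some selected coefficient (m_i = 1) has delta_i = 1/2: then
    (1 - 2 delta_i) = 0 kills the product in (2) and Prob(s = 1) = 1/2 exactly,
    whatever the distributions of the remaining terms (the step used in the
    proof of Theorem 1, where the uniform terms are the coefficients gamma)."""
    return any(m_i and d_i == 0.5 for m_i, d_i in zip(m, delta))

if __name__ == "__main__":
    m, d = [1, 1, 0, 1, 1], [0.1, 0.3, 0.9, 0.25, 0.7]
    print(gallager_prob_one(m, d), brute_force_prob_one(m, d))
    print(gallager_prob_one([1, 0, 1], [0.5, 0.9, 0.2]))  # exactly 0.5
```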

Lemma 2. Suppose that A* = [a*_ij]_{n×n} is a matrix of random elements a*_ij ∈ F_2, where prob(a*_ij = 1) = prob(a*_ij = 0) = 1/2, ∀i, j ∈ N. Let X* = A* P* be a system of linear equations for a known vector X* = [x*_1 ... x*_n] and the vector of unknowns P* = [p*_1 ... p*_n]. Then if the system is rewritten in the form X̃ = Ã P* using the Gaussian elimination method, where Ã = [ã_ij]_{n×n} is an upper triangular matrix, and the last entry p*_n is written in the form γ_{n1} x*_1 + ··· + γ_{nn} x*_n, then prob(γ_{ni} = 1) = prob(γ_{ni} = 0) = 1/2.

Proof. To transform the matrix A* to an upper triangular matrix Ã, row and column operations are applied to A* in such a way that at the end of the elimination process all entries ã_ij = 0, ∀j ≤ i − 1. Depending on the value of the element (ℓ, i), row i is added to row ℓ > i with probability 1/2 (if the element (ℓ, i) is 1; otherwise no action is required for this element, which happens with probability 1/2). It should be noted that all the rows ℓ with i < ℓ ≤ n might have been affected by row i with probability 1/2 (by affected we mean that row i has been added to row ℓ). Therefore, in the last round of the elimination process, to remove each element (n, j), j < n, one of the previous rows might be added to row n, where row j might have been affected an even or an odd number of times by the rows i < j with equal probabilities (the proof of the equal probabilities is based on considering all possibilities of being affected by a previous row and is omitted due to space limitations). An even number of times being affected by the i-th row updates the coefficient γ_{ni} to zero, and an odd number ends up with γ_{ni} = 1. Therefore prob(γ_{ni} = 1) = prob(γ_{ni} = 0) = 1/2. □

Now the proof of Theorem 1 is established using Lemma 1 and Lemma 2.

Proof. It is easy to show that prob[κ_i(π_i(n_j)) + v_j(t) = 1] = 1/2, as the regenerating vector is assumed to be drawn from a uniform distribution. Therefore the elements of A^(t) have a uniform distribution over F_2. Using Lemma 2 it is shown that each packet P_j^(t) (which can be considered as the last element of P* by swapping the rows) can be written in the form γ_{j1} x_1^(t) + ··· + γ_{jn} x_n^(t) (if the matrix A^(t) is not singular), where prob(γ_{ji} = 1) = prob(γ_{ji} = 0) = 1/2. Consequently, using Lemma 1 it is proven that prob(P_j^(t) = 1) = prob(P_j^(t) = 0) = 1/2. Therefore, each packet is independent of any individual message element x_i^(t). Hence, it can be concluded that I(x_i^(t); P^(t) | G) = 0. □